I was wondering whether an Admin password like "gW%94Slkx" on a laptop is any safer than, say, "abc" if your HDD is not encrypted. If you lose your laptop or if it gets stolen, all your data is easily accessible anyway. And there are shareware/freeware utilities to recover the password anyway. Any good reason for the finger exercise every time I start up my laptop?

9 Answers
9

I'd say yes, you should always use a password on a laptop. As for a very secure password, it probably isn't necessary. Thieves and such aren't known for being the brightest bulbs in the chandelier. Chances are, if your laptop gets stolen, the thief is just looking to make a quick and dishonest buck and even a basic dictionary password will keep them out.

Actual actual reality: nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)
–
Kevin Panko Aug 19 '09 at 21:08

3

The majority of the laptop thefts are for the hardware's resale value, rather than for the information within. If it's not encrypted, the password can easily be removed, or bypassed with a liveCD. Most people who steal laptops will put on a cracked copy of Windows and sell it on.
–
Dentrasi Aug 19 '09 at 21:13

Sure. Tying your bike to a tree with a rope is more secure than not tying it at all. The fact that there are ways around some security-devices doesn't mean you're just as vulnerable without them. Even if you're not encrypting your data, use a strong password because it will still offer some degree of protection. In all honesty, the degree of protection a strong password offers will be sufficient in many cases to protect your data - not all laptop thieves are smart enough to pull the HD out, and reconnect it elsewhere.

There are about 200 000 combinations even for 3-letter passwords (lower- and upper-case letters). I wouldn't compare that to "not tying a bike to a tree". Of course I wouldn't leave my laptop without any password at all.
–
Borek Aug 19 '09 at 20:32

But is tying your bike up with an inch-thick chain better than a half-centimetre chain? I've always figured if a thief is going to carry about bolt cutters, they'll carry around big ones.
–
John Fouhy Aug 21 '09 at 3:16

@John That analogy doesn't really work. That's like suggesting if somebody is going to steal a laptop, they're only going to do so if they're really smart.
–
Sampson Aug 21 '09 at 22:39

Is it really necessary to pull the HD out? I think just booting from a live cd (I don't think there are laptops these days without a cd/dvd drive) is more than enough...
–
Igor Popov Nov 9 '10 at 21:04

1

@Igor Good point. I'm thinking a criminal would probably be quicker to pull the HD out rather than thinking to boot up from an image of Ubuntu and then mount the drive :)
–
Sampson Nov 9 '10 at 22:31

A burglar once took off with two laptops from my employer. These were later found again, with the hard-disks nicely formatted running a Dutch version of Windows XP. (We only use English Windows versions, so we know it was reformatted and not hacked.) The thief got caught when he'd crashed his car while driving the stolen goods to someone who'd ordered them, apparently.

When your laptop is stolen, there's a big chance the thief will just ignore the data on it. The machine has value, the data often not. So encryption and/or passwords? Not such a big deal in this scenario.

But you would be in trouble if someone targets your laptop for data theft. It does need to have some valuable data on it to take the risks, though. Source code of a new product. Credit card information of visitors from a webshop. Possibly some other data that might interest them. Or maybe just your picture collection from your visit to the nude beach, last summer. If you have some data to protect, you better make sure the data itself is secure. (Thus, encrypt this data!)

However, do keep in mind that if you encrypt your data, then anyone can still access this data if they know your password. Encrypted or not doesn't make a difference in that case. Password strength does, though. Protection is as strong as its weakest link. So, having a strong password is always best, even if you don't use encryption. (Because it requires someone to take more extreme actions to access your data instead of just logging in.)

If it's a complex password it will be harder or impossible to crack - meaning that yes, the data on the laptop is compromised - but as most people re-use passwords and if the thief can crack your password and figure out who you are, the thief may gain access to other resources of yours as well. Like your Faaaacebook! ^^ (I've heard rumours of banks in other countries actually allowing login with only a password - if that was true then this could mean even more trouble ;)

If it isn't stolen though, it sure makes a difference. But perhaps this computer is not connected to any networks? ;)

Keep in mind that password complexity really is about length - the longer the password the better. Special, hard to remember and type characters make less of a difference than actual length:

I love my underwear!

"Fa#¤!"#D

Guess which one would take less time to crack? And if the second one is mostly based on a word or a name, like L3gol4s, it would go down fast with a hybrid dictionary attack as far as I know.

I imagine the first one would fall to a dictionary attack pretty quickly as well
–
Keck Aug 20 '09 at 16:30

Not really, it needs to be in a phrase dictionary and, well, it's rather easier to make up a passphrase that isn't listed in its entirety, than a single password that isn't in a dictionary. But let's change the example slightly just in case ^^
–
Oskar Duveborn Aug 21 '09 at 3:09

1

I dunno, there's no ¤ key on my keyboard..
–
John Fouhy Aug 21 '09 at 3:18

@John Fouhy try ctrl+alt+4 if you have an American keyboard.
–
Ikke Oct 19 '09 at 7:30
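
The length-versus-symbols comparison in the answer above, together with the dictionary objection raised in its comments, worked through as an added example that is not part of any post in this thread. The dictionary size, the tiny word list, the 32-character pool for non-ASCII symbols and the three-variants-per-character model for hybrid guesses are all assumptions.

```python
import math
import string

# Assumptions (not from the thread): attacker dictionary size, and a tiny
# constructed word list standing in for that dictionary.
DICT_SIZE = 100_000
WORDS = {"i", "love", "my", "underwear", "legolas"}
LEET = str.maketrans("34015", "eaols")  # undo common digit-for-letter swaps

def pool_size(pw):
    """Size of the smallest set of standard character classes covering pw."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    if any(ord(c) > 127 for c in pw):
        size += 32  # assumed pool for non-ASCII symbols such as the currency sign
    return size

def brute_force_bits(pw):
    """log2 of the search space for blind character-by-character guessing."""
    return len(pw) * math.log2(pool_size(pw))

def dictionary_bits(pw):
    """log2 of the search space if pw is built from dictionary words, else None."""
    tokens = pw.lower().translate(LEET).strip(string.punctuation).split()
    if not tokens or any(t not in WORDS for t in tokens):
        return None
    bits = len(tokens) * math.log2(DICT_SIZE)
    if len(tokens) == 1:
        # Hybrid case: one word, each character tried as lower/upper/leet.
        bits += len(pw) * math.log2(3)
    return bits

def effective_bits(pw):
    """Strength is set by the cheapest guessing strategy, so take the minimum."""
    brute, dictionary = brute_force_bits(pw), dictionary_bits(pw)
    return brute if dictionary is None else min(brute, dictionary)

if __name__ == "__main__":
    for pw in ["I love my underwear!", '"Fa#¤!"#D', "L3gol4s"]:
        print(f"{pw!r:26} brute={brute_force_bits(pw):6.1f} bits  "
              f"effective={effective_bits(pw):6.1f} bits")
```

Under these assumptions the passphrase stays ahead of the nine-character symbol password even when it is modelled as four dictionary words, while the mangled single word loses about 14 bits against its brute-force figure.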

In my case, yes. I use Mac OS X and the Keychain feature that comes with it. It stores my passwords to websites and network shares in a secure database that is unlocked when I log in to my laptop.

The passwords in that database are encrypted (Triple DES) and can't be easily exposed just by having physical access to the machine. Likewise, using physical access to reset my account password will disable access to the Keychain database.

What value is your data? Is it more valuable than the hardware itself? Stealing data off an unencrypted drive is pretty easy . . . But if you aren't a high value target - just have a reasonably high quality password with letters and numbers and I think you'll be just fine.